Reporting for duty

In the aftermath of the credit crisis, major financial institutions are seeking to address flaws in risk management practices, changing the reporting lines for chief risk officers and committing additional resources. But broader structural and cultural changes are required to properly empower risk managers. Rob Davies reports

Apportioning blame for the losses that have, since the second half of 2007, decimated the balance sheets of several financial institutions in the US and Europe is a tricky business. The initial round of finger pointing at institutions that lost billions on subprime mortgage-linked investments focused on the chief executives.

Charles Prince at Citi, Merrill Lynch's Stan O'Neal and Peter Wuffli at UBS are the most high-profile chief executives to depart so far as a result of recent losses. But with the International Monetary Fund estimating the credit crisis could wipe as much as $945 billion from the global economy, figureheads at other institutions face intense scrutiny over how their firms respond to the turmoil. And at several banks, addressing weaknesses in risk management practices will be at the core of that response.

In recent months, several banks have appointed new chief risk officers (CROs), at group and divisional levels. Morgan Stanley has brought in Ken DeRegt as CRO, HSBC appointed Brian Robertson to the newly created post of group CRO, while Merrill Lynch took a different approach by hiring Edmond Moriarty and Noel Donohoe as co-CROs.

Other firms have added numbers to the risk function below the group CRO level. UBS appointed Tom Daula as CRO for its investment banking division and Philip Lofts as group risk chief operating officer, with both reporting to group CRO Joe Scoby. In addition to appointing Brian Leach as group CRO and acting head of risk for the bank's institutional clients group, Citi hired Suneel Bakhshi as head of risk for the global consumer banking group and the firm's North American business.

On top of those appointments, several banks have changed the reporting lines for CROs in an apparent effort to boost the credibility of the role. Traditionally, at the major US firms at least, CROs reported to chief operating officers, chief financial officers or company presidents. But recent months have seen a shift at several firms, including Bank of America, Citi, JP Morgan, Lehman Brothers, Merrill Lynch and Morgan Stanley, with CROs reporting directly to the chief executive.

According to Burke St John, New York-based head of the global financial services practice at executive search firm CTPartners, the CRO-chief executive reporting line is already considered best practice. "At firms in which this doesn't happen, significant risks may not bubble their way up to a level of prominence at which they can attract the chief executive's attention," he says.

Carl-Johan Granvik, Helsinki-based chief risk officer at Nordea, believes it is critical the CRO role is not subsidiary to business line managers. "I am a member of the executive management and report directly to the chief executive, which means I sit in on all essential meetings," he remarks. "If I reported to someone two or three ranks lower than the chief executive, I would not have the same mandate and would find it more difficult to state my case on a daily basis. It is the fact the risk management group operates on an equal footing that helps the function to work effectively."

Another commonly held view suggests that as long as the CRO is deemed a senior position, the specific reporting line is less relevant. "On the face of it, switching the reporting line might provide some additional comfort, but if the CRO is strong enough, you would expect them to take whatever actions are necessary in terms of escalating risks, so that all the people who need to know do know," says Simon Gurney, London-based CRO for the UK and Europe at Standard Chartered Bank.

The London-based group CRO at a global banking giant was even more direct. "It's largely irrelevant where the CRO reports - I report to the finance director. Where you report is less important than where you sit within the hierarchy of the organisation. As long as the CRO is present at the group management board level and their views are taken on board, that is all that matters," he argues.

Linking good risk management to the reporting line has, according to some observers, been overplayed. Goldman Sachs, for example, has written down $3 billion on its subprime portfolio to date - considerably less than most of its peers on Wall Street. However, the head of Goldman's risk function reports to the chief financial officer rather than chief executive. Consequently, although efforts to boost the CRO's status are welcomed by many, few believe a change in reporting lines will have dramatic consequences.

"There is no compelling evidence to suggest the CRO-chief executive reporting line would have mitigated the risk oversight weaknesses exposed during the credit crisis," contends Bimal Patel, Rockville, Maryland-based manager of corporate governance and policy at RiskMetrics. "One of the most important lessons to have emerged is the need for proper communication channels throughout the organisation, and embedding a culture where you are emphasising the board of directors' ability to monitor management's propensity to take on more risk."

Assuming that simply giving the CRO a direct line to the chief executive is not the crux of the issue, it might be reasonable to ask whether additional resources would help empower top-level risk managers. But one look at the money spent by banks on getting up to speed with regulatory changes such as Basel II over the past decade would suggest a lack of resources has not been a particular problem.

"The money spent on risk management has been substantial at most financial institutions," says Kevin Buehler, New York-based director at consulting firm McKinsey. "Perhaps some institutions were focused primarily on using those resources for regulatory compliance. However, just because you add resources, it does not necessarily follow they will be used to make better risk/return decisions."

In their efforts to identify specific risk management failures, some institutions have pointed to the structure of risk control units as an area of concern. This was certainly the case at UBS, which to date has written down $37.5 billion on its subprime-related holdings. The Swiss banking giant has publicly acknowledged clear divisions between its market and credit risk monitoring units, which hindered the firm's ability to look at related risks as part of a single portfolio.

Consequently, UBS has overhauled its risk management group. Central to this process is the integration of the monitoring and control of group market, credit and country risk into a single unit, called group portfolio and concentration risk control. The bank believes this will help break down information silos between different risk functions.

"The biggest change is that we will no longer organise the risk function along the lines of market, credit and country risk," explains Joe Scoby, Zurich-based group CRO at UBS. "Instead, we will have people dedicated to portfolios, as defined by the business, and others looking for concentrations of risk within or across portfolios. The goal is to break down silos and mix people with different skills and backgrounds, as I think this will improve risk vigilance and lead to more creative approaches to risk control."

Additional structural changes at UBS will see the creation of a risk committee to help determine the ceiling on risk exposures within the firm, while new units will be established for portfolio analysis, group risk methodology and an investment banking portfolio and concentration risk control team.

Of the major European firms, Deutsche Bank had a limited portfolio of subprime mortgage-linked investments. The firm's group CRO, Hugo Banziger, believes there is a strong link between performance and the structure of the risk management function. "The reason our performance remained strong is because we have an integrated risk management strategy - not only in terms of integrating credit and market risk, but also liquidity and capital risk management," asserts Banziger. "Risk management is also completely independent through the bank up to the top board level - we have our own systems in place and have invested heavily in IT in the past decade. For these reasons, we have a healthy check and balance system."

Beyond the integration of risk units, McKinsey's Buehler says firms need to put in place an explicit risk strategy. "Most banks have a business strategy. It would also be appropriate to put in place an explicit risk strategy that clearly defines which risks they would be advantaged to take, the quantity of those risks they are willing to take given their credit rating and available capital, and what returns they demand for the risks taken."

Banziger concurs: "If you do not set an explicit risk appetite for the firm, it is meaningless. We have a clearly defined risk appetite set out in a strategic paper we develop together with the business plan for the next year. This explicitly establishes the risk budget and business budget, which run in parallel."

However, explicit definitions of risk appetite are not standard across the industry, while transparency - or lack thereof - when reporting exposures is also cited as a weak point at many institutions. "We still do not have the level of detail required in risk reporting," argues Richard Clayton, Washington, DC-based research director of CtW Investment Group, an independent shareholder activist group that has been critical of the risk management policies at several dealers. "In many cases, when looking at financial statements of a bank, it is difficult to gauge, for example, exactly how large a share of their loan investment portfolio is insured or supported by monoline guarantees. Because we don't know which of those insurers the large financial institutions are reliant on, we cannot properly understand the risks of those institutions."

While banks have focused on empowering the CRO, the consensus view holds that ultimate responsibility for establishing risk appetite lies with the board of directors. "Making sure the firm has adequate risk management is ultimately the responsibility of senior management, in particular the chief executive, subject to the oversight of the board," stated the Washington, DC-based International Institute of Finance (IIF) in its interim report in April.

"The board of directors clearly has the essential role in setting the parameters for risk taking," says one London-based CRO at a UK bank. "The board needs to articulate the appetite and ensure it matches the strategy set for the organisation. Your stated strategy is why shareholders buy your stock - if you then go and do something entirely different in terms of risk taking, it leaves you open to criticism."

The composition of boards of directors within banks - particularly in the US - has received extensive scrutiny over the past year. To prevent the chief executive from holding too much sway within an organisation, an emerging best practice in the US is to split the roles of chairman and chief executive. Approximately 37% of S&P 500 companies now do this - up from 30% in 2005. But this trend is less evident at Wall Street's largest banks. Until recently, when Wachovia and Washington Mutual separated the roles, common practice saw banks combine the chairman and chief executive positions.

"That structure does not provide adequate checks on the power of chief executives," argues CtW's Clayton. "Some of the hallmarks of good governance policy, including fully independent boards of directors and separating the chair and chief executive roles, lead to better performance and evaluation of transactions."

In its report, the IIF says: "Some firms would find it useful to have at least a portion of members of the risk committee of the board (or equivalent) individuals with technical sophistication in risk disciplines, or with solid business experience giving clear perspectives on risk issues."

Lawrence Dunn, London-based head of the Europe, Middle East and Africa business at RiskMetrics, says it is not essential for every single director to be a risk management expert, but argues having directors with a broad skill base can be of real benefit to banks.

"True risk management is creative - there is a judgement element to it. Scenarios need to reflect economic and political factors, as well as industry-specific issues. A widely experienced board of directors can bring that kind of insight into helping risk managers ask the right kind of questions," says Dunn.

While difficult to quantify, the risk culture within banks is, to some observers, the biggest determinant of an effective risk management strategy. The few public utterances on the topic by Goldman Sachs - widely considered as having the best risk culture on Wall Street - give some indication of its approach. Speaking at the Credit Suisse Group Financial Services Forum in February, group chief financial officer David Viniar said: "The basic framework of our risk management culture is to put the right people in the right seats, provide them with an appropriate level of data and have a consistent dialogue between our traders, controllers, risk managers and senior management. It is well known that the best risk managers among our traders end up at the most senior levels of the firm."

As to what constitutes a good risk culture, UBS's Scoby defines the component parts as candour, curiosity, teamwork, creativity, effort and disciplined alignment with shareholders' goals and expectations.

Getting it

According to RiskMetrics' Dunn, there are some firms that simply 'get' risk management and those that do not: "Differences in performance are certainly related to the culture that has been created and communication style. It is not so much about empowering one group with ultimate decision-making power: it is more about having a process where groups can collectively arrive at a decision. Risk management is not just a box to tick out of some real or perceived obligation - it is actually a beneficial tool that helps firms arrive at good decisions," he says.

Although a wholesale shift in attitude towards risk management might appear radical, a failure to tackle structural weaknesses could leave the industry open to future crises.

"Over the past 20 years in the financial markets, we have had some kind of crisis every three to four years. If you look at the competitive pressures that result in these kinds of shocks, you can conclude the banking industry is susceptible to the herd mentality, with everyone pursuing the same business," says Standard Chartered's Gurney. "What you have to do is try and change that behaviour, which is why addressing the issue of incentives is so important, as is having a culture where the risk management function has authority and is expected to intervene. It is not going to be the case that crises never happen again, but structural changes can reduce the likelihood of cross-industry losses happening."
